(54) Method of loading commands in the security module of a terminal



(57) The invention provides a method of loading commands (C1, C2, ...) in a security module (2) of a terminal (1), the method comprising the steps of: a station (4) transferring the commands (C1-Cn) to the terminal (1), the terminal (1) transferring the commands (C1-Cn) to the security module (2), the security module (2) executing the commands (C1-Cn), the terminal (1) recording actual results (R1'-Rm') of the executed commands (C1-Cn), and the transfer means (3) transferring the results (R1'-Rm') back to the station (4). The commands may have associated expected results (e.g. R1), which the terminal (1) may compare with the actual results (e.g. R1'). This allows both a flexible loading of data in the security module (2) by means of commands and a remote check of the functioning of the security module.
Description

BACKGROUND OF THE INVENTION 

The present invention relates to a method of loading commands in the security module of a terminal. More specifically, the present invention relates to the controlled loading of data in the security module of a smart card operated terminal by means of the execution of commands.

Terminals, such as vending machines or public telephones, often comprise a security module for securely storing usage data. Such payment data are e.g. the number of times the terminal has been used, the amount of money spent by consumers at the particular terminal, or the number of telephone metering pulses the (telephone) terminal has collected. A security module, which is mechanically protected against abuse, comprises electronic memory means (such as counters and EEPROM) for registering payment data and for storing keys. A security module may further comprise processing means for processing data, such as usage data. Such processing means normally comprise a microprocessor running programs consisting of commands stored in the security module. The processing often comprises the cryptographic protection of the usage data in order to prevent fraud.

It is often necessary to update the data stored in a security module, e.g. for adding new functions or modifying existing functions. Data may be added or altered using commands, the execution of which effects the desired addition or alteration. However, the functioning of the additions and alterations needs to be verified. This is especially true since security modules often store monetary data or their equivalents.

Thus the need arises to be able to load such new data into the security module and to verify their effects, i.e. the proper functioning of the modifications brought about by those data. As in practice it will be necessary to effect changes in security modules in many different locations, verifying the functioning of those security modules constitutes a problem. The prior art does not offer a solution for this problem.

SUMMARY OF THE INVENTION 

It is an object of the invention to overcome the above-mentioned and other disadvantages of the prior art and to provide a method which allows data to be loaded into the security module of a terminal and to verify the proper functioning of the commands using those data. It is a further object of the invention to provide a method which allows the remote function check of a security module. It is another object of the present invention to provide a method which allows the terminal to be transparent with respect to the commands.

Accordingly, the present invention provides a method of loading commands in a security module of a terminal, the method comprising the steps of:

- a station transferring the commands to the terminal via a transfer means,
- the terminal transferring the commands to the security module,
- the security module executing the commands,
- the terminal recording results of the executed commands, and
- the transfer means transferring the results to the station.

The station may be a remote terminal management agency. The transfer means may e.g. be a telephone line or a (special purpose) card which is inserted into the terminal.

By recording the results of the executed commands, it is possible to remotely check the proper functioning of the security module. Preferably, the commands are transferred to the terminal as part of a script file, the terminal extracting the respective commands from the script file and passing them to the security module. Advantageously the script file contains information allowing the selective recording of results, i.e. allowing the results of some commands to be registered, while the results of other commands are not registered. This makes it possible to control the loading of certain commands into the security module by requiring the proper execution of the previous command, while allowing other commands (e.g. commands of which the results are unpredictable) to be loaded without imposing a restriction.

As the terminal substantially only transfers the commands to the security module, the terminal is effectively transparent with respect to the commands. This makes the terminal substantially independent of the particular security module used.

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention will further be explained with reference to the accompanying drawings, in which:

Fig. 1 schematically shows a terminal in which the method of the present invention may be used.

Fig. 2 schematically shows an example of the structure of a script file containing commands to be loaded.

EXEMPLARY EMBODIMENTS

The embodiment shown schematically and by way of example in Fig. 1 comprises a terminal 1, connected via a telephone link 3 with a station (terminal management centre) 4. As will be explained below, the station 4 may serve both to make script files and to verify the functioning of the terminal 1. The terminal 1 comprises at least one security module 2 which during normal use of the terminal 1 communicates with a smart card 5.

In order to load commands into the security module 2 and execute them there while having the possibility to check their proper functioning, as provided by the present invention, a script file is made in the station 4. The script file, which will further be explained with reference to Fig. 2, contains the commands to be loaded and executed, thus effecting a data transfer to and/or from the security module 2. Preferably, the terminal 1 verifies the origin of the commands, i.e. the terminal checks whether the commands were produced by or at least sent by the station 4. This verification, which serves to prevent fraudulent modifications of the contents of the security module, may be effected by comparing a received MAC (message authentication code) with a MAC calculated by the terminal. Such verification procedures are well known in the art.

As shown in Fig. 2, a script file S may contain a header H and a number of records, each record comprising a type field Ti (e.g. T1), a command field Ci (e.g. C1) and a result field Ri (e.g. R1). The result field Ri may be empty, as will be explained later. A command may contain data to be written in the memory of the security module, such as a key for encrypting usage data. However, a command may also contain an instruction to be executed by the security module 2. A suitable format of the commands Ci (i ranges from 1 to 4 in Fig. 2) is e.g. disclosed in the ISO 7816-4 standard.

The type field Ti allows different types of commands to be distinguished. In the method of the present invention, three different types of commands can be distinguished, resulting in three different types of command handling by the terminal.

A first type of command has an associated expected result or response Ri. This type of command is preferably loaded one by one in the security module, the terminal comparing the actual result Ri' with the expected result Ri and stopping the loading if a discrepancy, i.e. a mismatch between Ri and Ri', occurs. With this type of command it is possible to perform a controlled loading of the security module and to check the proper functioning of the security module while loading.

A second type of command is not accompanied by an expected response (i.e. the response field Ri may be empty). However, the terminal preferably registers the actual responses. This type of command allows a test of the security module to be performed, especially in the case where an unknown type of security module (of which the responses are not completely known in advance) is used. The results may be entered in a log file which can be collected later. Thus an off-line processing of the commands is possible.

A third type of command is loaded into the security module without taking the result into account. That is, the result of this type of command is not registered by the terminal.

It will be understood that the above-mentioned results of the commands may comprise memory contents, a status (e.g. indicating a failed write operation), and/or a smart card command. The said commands may thus effect a data transfer to and/or from the security module.
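The script-file handling described above (the origin check of the script by MAC comparison, then per-record handling according to the type field: compare with the expected result and stop loading on a mismatch, log the actual result, or disregard the result) as an added Python example. This is not code from the patent: the record encoding, the use of HMAC-SHA256 as the MAC over the records, the numbering of the three types and the toy security module (which understands only two ISO 7816-4 style instructions) are assumptions of this example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values of the type field Ti. The numbering is an assumption of this example;
# the text only distinguishes three kinds of handling by the terminal.
CHECK = 1   # expected result present: compare, stop loading on mismatch
LOG = 2     # no expected result: register the actual result in a log
IGNORE = 3  # result neither compared nor registered


@dataclass
class Record:
    type_field: int                   # Ti
    command: bytes                    # Ci, an APDU-style byte string
    expected: Optional[bytes] = None  # Ri, may be empty


@dataclass
class ScriptFile:
    header_mac: bytes     # header H: MAC computed by the station over the records
    records: List[Record]


class ToySecurityModule:
    """Constructed stand-in for security module 2: 64 bytes of memory and two
    ISO 7816-4 style instructions, UPDATE BINARY (D6) and READ BINARY (B0)."""

    def __init__(self) -> None:
        self.memory = bytearray(64)

    def execute(self, apdu: bytes) -> bytes:
        cla, ins, p1, p2 = apdu[:4]
        offset = (p1 << 8) | p2
        if ins == 0xD6:                         # write Lc data bytes at offset
            data = apdu[5:5 + apdu[4]]
            if offset + len(data) > len(self.memory):
                return b"\x6A\x82"              # status: failed write, out of range
            self.memory[offset:offset + len(data)] = data
            return b"\x90\x00"
        if ins == 0xB0:                         # return Le bytes from offset
            le = apdu[4]
            return bytes(self.memory[offset:offset + le]) + b"\x90\x00"
        return b"\x6D\x00"                      # instruction not supported


def serialize(records: List[Record]) -> bytes:
    """Length-prefixed encoding of the records (assumed format); the MAC covers this."""
    out = bytearray()
    for r in records:
        exp = r.expected or b""
        out += bytes([r.type_field, len(r.command)]) + r.command + bytes([len(exp)]) + exp
    return bytes(out)


def station_make_script(key: bytes, records: List[Record]) -> ScriptFile:
    """Station 4 builds the script file and puts its MAC in the header."""
    return ScriptFile(hmac.new(key, serialize(records), hashlib.sha256).digest(), records)


def terminal_run_script(key: bytes, script: ScriptFile,
                        module: ToySecurityModule) -> Tuple[str, list]:
    """Terminal 1: verify origin, then pass commands to the module one by one.
    Returns (status, log) with status 'rejected', 'mismatch' or 'ok'."""
    recomputed = hmac.new(key, serialize(script.records), hashlib.sha256).digest()
    if not hmac.compare_digest(recomputed, script.header_mac):
        return "rejected", []               # nothing reaches the security module
    log = []
    for i, r in enumerate(script.records, 1):
        actual = module.execute(r.command)  # Ri'
        if r.type_field == CHECK:
            if actual != r.expected:
                log.append((i, actual))     # keep the offending result for the station
                return "mismatch", log      # stop loading at the first discrepancy
        elif r.type_field == LOG:
            log.append((i, actual))         # registered for later off-line processing
        # IGNORE: result discarded
    return "ok", log


def demo() -> Tuple[str, list]:
    """Constructed script: write a key, read it back (logged), write two bytes
    without checking, then verify that write with an expected result."""
    key = b"constructed-shared-key"        # placeholder key shared by station and terminal
    records = [
        Record(CHECK, bytes([0x00, 0xD6, 0x00, 0x10, 4]) + b"KEY1", b"\x90\x00"),
        Record(LOG, bytes([0x00, 0xB0, 0x00, 0x10, 4])),
        Record(IGNORE, bytes([0x00, 0xD6, 0x00, 0x20, 2]) + b"\x00\x01"),
        Record(CHECK, bytes([0x00, 0xB0, 0x00, 0x20, 2]), b"\x00\x01\x90\x00"),
    ]
    return terminal_run_script(key, station_make_script(key, records), ToySecurityModule())


if __name__ == "__main__":
    print(demo())   # ('ok', [(2, b'KEY1\x90\x00')])
```

`demo()` returns `("ok", [(2, b"KEY1\x90\x00")])`: only the type-2 record leaves a trace in the log that goes back to the station. A script whose header MAC does not match the recomputed one is rejected before any command reaches the module, and a type-1 record whose actual result differs from the expected one stops the loading and records the offending result, so the station can see at which record the module deviated.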

As explained above, the terminal extracts the commands from the script file and passes them to the security module. Although the terminal is passive with respect to the commands, it is active with respect to the script file in that it extracts the commands from the file and derives its mode of operation (check result/no check) from the type fields contained in the script file. The script file thus comprises information which influences the functioning of the terminal with respect to the script file and the commands derived from it.

The script file may comprise only a single command. However, the size of the script file may vary and is limited only by the amount of memory available in the terminal. It can also be envisaged that the script file contains commands in a compressed and/or cryptographically protected form.

The method of the present invention thus allows both a flexible loading of data in the security module and a remote check of the functioning of the security module.

It will be understood by those skilled in the art that the embodiments described above are given by way of example only and that many modifications and additions are possible without departing from the scope of the present invention.

Claims 

1. Method of loading commands (C1, C2, ...) in a security module (2) of a terminal (1), the method comprising the steps of:

   - a station (4) transferring the commands (C1-Cn) to the terminal (1) via a transfer means (3),
   - the terminal (1) transferring the commands (C1-Cn) to the security module (2),
   - the security module (2) executing the commands (C1-Cn),
   - the terminal (1) recording results (R1'-Rm') of the executed commands (C1-Cn), and
   - the transfer means (3) transferring the results (R1'-Rm') to the station (4).

2. Method according to claim 1, wherein the commands are transferred to the terminal (1) as part of a script file (S), the terminal (1) extracting the respective commands (C1-Cn) from the script file (S) and passing them to the security module (2).

3. Method according to claim 2, wherein the script file (S) contains information (T1-Tn) allowing the selective recording of results (R1'-Rm').

4. Method according to claim 2 or 3, wherein the script file (S) is made in the verification station (4).

5. Method according to any of the preceding claims, wherein the script file (S) contains the expected result (e.g. R3) of each command (e.g. C3).

6. Method according to claim 5, wherein each command (e.g. C1) is transferred to the security module (2) individually, the terminal (1) comparing the expected result (e.g. R3) with the actual result (e.g. R3') and stopping the transferring if a mismatch is detected.

7. Method according to any of the preceding claims, wherein the transfer means (3) is a telecommunications link, such as a telephone connection.

8. Method according to any of the preceding claims, wherein the transfer means (3) comprises a card to be inserted in the terminal (1).

9. Method according to any of the preceding claims, wherein the terminal (1), before transferring the commands (C1-Cn) to the security module (2), verifies whether the commands originate from the station (4).

10. Terminal (1) comprising a security module (2), characterized in that the terminal (1) comprises means for registering results (R1-Rm) of commands (C1-Cn) executed by the security module (2).



EP 0 825 739 A1

[Drawings, not reproduced in the text]

Fig. 1: terminal 1 with security module 2, connected via telephone link 3 to station 4; smart card 5.

Fig. 2: script file S consisting of a header H followed by records, each with a type field (T1 to T4), a command field (C1 to C4) and a result field.





European Patent Office

EUROPEAN SEARCH REPORT

Application Number: EP 96 20 2293

DOCUMENTS CONSIDERED TO BE RELEVANT

Category: X, Y

Citation of document with indication, where appropriate, of relevant passages:

US-A-4 972 478 (DABBISH)
  * column 1, line 35 - column 2, line 7 *
  * column 3, line 37 - line 46 *

US-A-5 495 571 (CORRIE ET AL.)
  * column 2, line 29 - line 44 *
  * column 3, line 44 - line 57 *
  * column 4, line 19 - line 26 *
  * column 6, line 36 - line 47 *

FR-A-2 657 445 (GEMPLUS)
  * page 2, line 36 - page 3, line 15 *
  * page 4, line 16 - page 5, line 22 *

EP-A-0 368 752 (BULL CPS)
  * column 2, line 41 - column 3, line 26 *
  * column 4, line 56 - column 5, line 6 *
  * column 6, line 18 - line 58 *

US-A-4 777 355 (TAKAHIRA)
  * column 2, line 7 - line 27 *
  * column 3, line 24 - line 38 *
  * column 5, line 36 - column 6, line 11 *

Relevant to claim (as listed on the report): 1,10; 2; 1,7,8; 1,9; 1,6,10

CLASSIFICATION OF THE APPLICATION (Int.Cl.6): H04L9/00, G07F7/10

TECHNICAL FIELDS SEARCHED (Int.Cl.6): H04L, G07F

The present search report has been drawn up for all claims.

Place of search: THE HAGUE
Date of completion of the search: 9 January 1997
Examiner: Holper, G

CATEGORY OF CITED DOCUMENTS

X : particularly relevant if taken alone
Y : particularly relevant if combined with another document of the same category
A : technological background
O : non-written disclosure
P : intermediate document
T : theory or principle underlying the invention
E : earlier patent document, but published on, or after the filing date
D : document cited in the application
L : document cited for other reasons
& : member of the same patent family, corresponding document






